Hacker steals data of 1 billion citizens of the People’s Republic of China
July 6, 2022
When I first started writing about privacy and data security, data breaches involved low thousands of records compromised. It didn’t take long for data breaches to involve many thousands of records and occasionally over a hundred thousand records. In the last decade the ability and desire of government, organisations and businesses to collect masses of data has increased exponentially. Storage capacity increased, as did the ability to analyse the data with the use of algorithms. Analytics is now a sophisticated discipline and its products have made businesses wealthy. Increased collection, use and storage of data has been matched by increased hacking into systems. Personal information provides valuable source material for identity theft and other forms of fraud. And many businesses and government agencies have traditionally had a terrible record in maintaining proper privacy protections and cyber security systems.
Now data breaches regularly involve millions of records, occasionally tens of millions of records. But not records of a billion people. Until now. Data Breach Today reports in “Unknown Hacker Steals Data of 1 Billion Chinese Citizens” that a configuration error in Alibaba’s private cloud server resulted in a data breach involving a billion individuals. The data was collected by Shanghai National Police and taken from its database. The information was a hacker’s dream: names, home addresses, identification numbers and phone numbers. That data, 23 terabytes’ worth, is being offered for sale on a hacker forum for 10 Bitcoin (or over $200,000).
The story has been reported widely, with Reuters, ABC, Bleeping Computer and the Guardian reporting on the breach among many others. China being China, such a bad news story has been censored. This can have the potentially disastrous outcome of victims not knowing what happened to their personal information and not being able to do anything to protect themselves. It is the antithesis of good practice.
The Data Breach Today story provides:
A misconfigured Alibaba private cloud server has led to the leak of around 1 billion Chinese nationals’ personal details. An unknown hacker, identified as “ChinaDan,” posted an advertisement on a hacker forum selling 23 terabytes of data for 10 bitcoin, equivalent to about $200,000.
Touted as one of the largest data breaches in history, the data was allegedly stolen from the Shanghai National Police database, which contains Chinese nationals’ personal details, including names, home addresses, criminal records, and ID and phone numbers.
“Our threat intelligence detected 1 billion resident records for sale in the dark web, including name, address, national id, mobile, police and medical records from one Asian country. Likely due to a bug in an Elastic Search deployment by a gov agency,” says a Tweet by Changpeng Zhao, founder and chief executive officer of cryptocurrency exchange Binance. “This has impact on hacker detection/prevention measures, mobile numbers used for account take overs, etc.”
Information Security Media Group could not confirm the authenticity of the data leaked.
A report from Bleeping Computer, however, claims that ChinaDan also shared a sample with 750,000 records containing ID information and police call records. It says that this sample allows interested buyers to verify the data.
“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on billions of Chinese citizens,” says the threat actor in their post on Breach Forums, a marketplace that hackers and threat actors use to buy and sell data.
Chinese Regulation
Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China, says on Twitter that China’s Personal Information Protection Law, which came out late last year, requires government bodies to protect the information of citizens.
“It’s hard to parse truth from rumor mill, but can confirm file exists. If the source is indeed MPS, that would be, erm… bad, for a number of reasons. Most obviously, it would be among biggest and worst breaches in history,” Schaefer tweeted.
Schaefer also says that the records allegedly contain details on case files of minors, which would be a violation of the Minor Protection Law.